ESB-2018.1335 - [Debian] kernel: Multiple vulnerabilities 2018-05-02

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1335
                       linux kernel security update
                                2 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Root Compromise                 -- Existing Account            
                   Execute Arbitrary Code/Commands -- Existing Account            
                   Access Privileged Data          -- Existing Account            
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000199 CVE-2018-10323 CVE-2018-8822
                   CVE-2018-8781 CVE-2018-8087 CVE-2018-7995
                   CVE-2018-7757 CVE-2018-7740 CVE-2018-7566
                   CVE-2018-7480 CVE-2018-5803 CVE-2018-1108
                   CVE-2018-1093 CVE-2018-1092 CVE-2018-1068
                   CVE-2018-1066 CVE-2018-1065 CVE-2017-18257
                   CVE-2017-18241 CVE-2017-18224 CVE-2017-18222
                   CVE-2017-18218 CVE-2017-18216 CVE-2017-18193
                   CVE-2017-17975 CVE-2017-5753 CVE-2017-5715

Reference:         ASB-2018.0009
                   ASB-2018.0002.4
                   ESB-2018.0044
                   ESB-2018.0042.2

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4188

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4188-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 01, 2018                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2017-5715 CVE-2017-5753 CVE-2017-17975 CVE-2017-18193
                 CVE-2017-18216 CVE-2017-18218 CVE-2017-18222 CVE-2017-18224
                 CVE-2017-18241 CVE-2017-18257 CVE-2018-1065 CVE-2018-1066
                 CVE-2018-1068 CVE-2018-1092 CVE-2018-1093 CVE-2018-1108
                 CVE-2018-5803 CVE-2018-7480 CVE-2018-7566 CVE-2018-7740
                 CVE-2018-7757 CVE-2018-7995 CVE-2018-8087 CVE-2018-8781
                 CVE-2018-8822 CVE-2018-10323 CVE-2018-1000199

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-5715

    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes
    running on the system.

    This specific attack has been named Spectre variant 2 (branch
    target injection) and is mitigated for the x86 architecture (amd64
    and i386) by using the "retpoline" compiler feature which allows
    indirect branches to be isolated from speculative execution.

CVE-2017-5753

    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes
    running on the system.

    This specific attack has been named Spectre variant 1
    (bounds-check bypass) and is mitigated by identifying vulnerable
    code sections (array bounds checking followed by array access) and
    replacing the array access with the speculation-safe
    array_index_nospec() function.

    More use sites will be added over time.

CVE-2017-17975

    Tuba Yavuz reported a use-after-free flaw in the USBTV007
    audio-video grabber driver. A local user could use this for denial
    of service by triggering failure of audio registration.

CVE-2017-18193

    Yunlei He reported that the f2fs implementation does not properly
    handle extent trees, allowing a local user to cause a denial of
    service via an application with multiple threads.

CVE-2017-18216

    Alex Chen reported that the OCFS2 filesystem failed to hold a
    necessary lock during nodemanager sysfs file operations,
    potentially leading to a null pointer dereference.  A local user
    could use this for denial of service.

CVE-2017-18218

    Jun He reported a user-after-free flaw in the Hisilicon HNS ethernet
    driver. A local user could use this for denial of service.

CVE-2017-18222

    It was reported that the Hisilicon Network Subsystem (HNS) driver
    implementation does not properly handle ethtool private flags. A
    local user could use this for denial of service or possibly have
    other impact.

CVE-2017-18224

    Alex Chen reported that the OCFS2 filesystem omits the use of a
    semaphore and consequently has a race condition for access to the
    extent tree during read operations in DIRECT mode. A local user
    could use this for denial of service.

CVE-2017-18241

    Yunlei He reported that the f2fs implementation does not properly
    initialise its state if the "noflush_merge" mount option is used.
    A local user with access to a filesystem mounted with this option
    could use this to cause a denial of service.

CVE-2017-18257

    It was reported that the f2fs implementation is prone to an infinite
    loop caused by an integer overflow in the __get_data_block()
    function. A local user can use this for denial of service via
    crafted use of the open and fallocate system calls with an
    FS_IOC_FIEMAP ioctl.

CVE-2018-1065

    The syzkaller tool found a NULL pointer dereference flaw in the
    netfilter subsystem when handling certain malformed iptables
    rulesets. A local user with the CAP_NET_RAW or CAP_NET_ADMIN
    capability (in any user namespace) could use this to cause a denial
    of service. Debian disables unprivileged user namespaces by default.

CVE-2018-1066

    Dan Aloni reported to Red Hat that the CIFS client implementation
    would dereference a null pointer if the server sent an invalid
    response during NTLMSSP setup negotiation.  This could be used
    by a malicious server for denial of service.

CVE-2018-1068

    The syzkaller tool found that the 32-bit compatibility layer of
    ebtables did not sufficiently validate offset values. On a 64-bit
    kernel, a local user with the CAP_NET_ADMIN capability (in any user
    namespace) could use this to overwrite kernel memory, possibly
    leading to privilege escalation. Debian disables unprivileged user
    namespaces by default.

CVE-2018-1092

    Wen Xu reported that a crafted ext4 filesystem image would
    trigger a null dereference when mounted.  A local user able
    to mount arbitrary filesystems could use this for denial of
    service.

CVE-2018-1093

    Wen Xu reported that a crafted ext4 filesystem image could trigger
    an out-of-bounds read in the ext4_valid_block_bitmap() function. A
    local user able to mount arbitrary filesystems could use this for
    denial of service.

CVE-2018-1108

    Jann Horn reported that crng_ready() does not properly handle the
    crng_init variable states and the RNG could be treated as
    cryptographically safe too early after system boot.

CVE-2018-5803

    Alexey Kodanev reported that the SCTP protocol did not range-check
    the length of chunks to be created.  A local or remote user could
    use this to cause a denial of service.

CVE-2018-7480

    Hou Tao discovered a double-free flaw in the blkcg_init_queue()
    function in block/blk-cgroup.c. A local user could use this to cause
    a denial of service or have other impact.

CVE-2018-7566

    Fan LongFei reported a race condition in the ALSA (sound)
    sequencer core, between write and ioctl operations.  This could
    lead to an out-of-bounds access or use-after-free.  A local user
    with access to a sequencer device could use this for denial of
    service or possibly for privilege escalation.

CVE-2018-7740

    Nic Losby reported that the hugetlbfs filesystem's mmap operation
    did not properly range-check the file offset.  A local user with
    access to files on a hugetlbfs filesystem could use this to cause
    a denial of service.

CVE-2018-7757

    Jason Yan reported a memory leak in the SAS (Serial-Attached
    SCSI) subsystem.  A local user on a system with SAS devices
    could use this to cause a denial of service.

CVE-2018-7995

    Seunghun Han reported a race condition in the x86 MCE
    (Machine Check Exception) driver.  This is unlikely to have
    any security impact.

CVE-2018-8087

    A memory leak flaw was found in the hwsim_new_radio_nl() function in
    the simulated radio testing tool driver for mac80211, allowing a
    local user to cause a denial of service.

CVE-2018-8781

    Eyal Itkin reported that the udl (DisplayLink) driver's mmap
    operation did not properly range-check the file offset.  A local
    user with access to a udl framebuffer device could exploit this to
    overwrite kernel memory, leading to privilege escalation.

CVE-2018-8822

    Dr Silvio Cesare of InfoSect reported that the ncpfs client
    implementation did not validate reply lengths from the server.  An
    ncpfs server could use this to cause a denial of service or
    remote code execution in the client.

CVE-2018-10323

    Wen Xu reported a NULL pointer dereference flaw in the
    xfs_bmapi_write() function triggered when mounting and operating a
    crafted xfs filesystem image. A local user able to mount arbitrary
    filesystems could use this for denial of service.

CVE-2018-1000199

    Andy Lutomirski discovered that the ptrace subsystem did not
    sufficiently validate hardware breakpoint settings.  Local users
    can use this to cause a denial of service, or possibly for
    privilege escalation, on x86 (amd64 and i386) and possibly other
    architectures.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.88-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlron7dfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Se0xAAmR31jrqeEkJhgh7qvKplrko9N27l7FCCrrqsR0cBjKtIpwBkIdm6UxP2
8HBxqK5oy3sUP/ViHBtTUqFlRbLq4fC2DsuJGGqtBk46yML4QOEV2CXA1gyhfSzG
ux5Z5nNkLDbzD7jPazbTwMusbQrDItojj6K5aoDVoRjjOpRHRViHv81kRU3KJytX
62f/vnEjxX0xkSOqLKXcUNDczLjcP2VxuKFb3si6w7YyCXq6XYhvoDch92QLJZfD
qtDUCKs1sEgWLzhktcYyhck3NGujSfLZuSLGnZowqGqaAvx/lq0sTOliKuPpnG+I
HztPR0iYQCuzsDgHbLlwGyuUnf446VRG+u/AP69qk0HqyWwCXqsTJ0rwMX04fXtR
7dR8Y1jbbXaH0+ai9V6c3zdz4UKH5rZOkpIIYSjCxVHUpE2cU4lFXYiWL/qJRBGV
150TtSgyAPBBBJa6cWgApXrHgriGEkZNscH2nmJfg2OBnDwnLJ4CvwNfij7daR8n
RlGOlvgKYCI1Ob54kKqvvxQhDrhTiBhti8T64wd2MzsrKLIRdlyTpSrsqK8VIJyg
ux1Y01sgA3JqS2XKL52ZTgCJhGkoX68+/se73P+jeRBP/tbNcXB2t2cE6gxIkiTX
eZEUmnS5IeoEcr7cYKm3M9GZvBBrVeTaFra3vSgeGDUr0XL2Yu4=
=uZGQ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWulSkox+lLeg9Ub1AQio8g/9GrWMIX8mtOlkypFo3uVXnN61gYcwJzAG
g5RF0OPMvq8qhg+gvDiebUOajMpDKOKfTUr7r/kC4n5XUmHbCxZAMjiQiKV4PBI/
mJFJRp9ZpVR9NJ76Zc8uUQ/rbmF3iIRWZVcKLsRWxld17vXzLj8I0AQNnBZ9Ezic
fu9zo9Uw6YiWVtfMo44o5Fy9CSsNmtXP61JmACb9Em/xDE+LcWPnwmnCFMr1Evi2
cH5zdYg4fcREB3B3WfLAbJQlLL28xHo4PNhUQOY5lPaET6dnoYjvaTvWrb/EmyZ/
4uyfxDi4eJbfMk6hnJeLjgrF/ou+JwNchAVCuS6+z+FknIRdApaQJoObAvAb/QhB
Y/LVfJyk1xAO7z6Cib9C1/taxSRkcJovUh7wV5k4Kxf+gfHtKV8i4K2FGxhHjv+V
LclTzTqF2yiWy0SKmZ9o5Zyc2AzYK+9Mr437k8YLl1aJGz/p0b6sLHyBu6u1+TUE
NeFazy3PLI5GKVrS82YEQA0a2oBPrgz98/L+U2LplcZTPZ+Qckd2qNzPbLhlE/Br
BodqCtriaTvgslorRceUeVMxOknMf86Lqly01Tmb0EyQyM4USgwr4scjF/Q1ZkwP
uoZ7rFVtKepbGPgvKiftZTNig/bXreJFFiVwHEcc0FWPRcaJgwxOid/9gndZLg/r
uXd6qvDTDe4=
=z6qt
-----END PGP SIGNATURE-----

« Back to bulletins